FOCUS 15 trains lens on the Threat Detection Lifecycle

The proliferation of technology – and how we consume it – is having profound effects on our productivity, work styles and service delivery. But these shifts are also having a seismic impact on our ability to secure digital transactions. While cloud technologies have increased IT service efficiencies and enabled a workforce revolution, they have also served to blur the lines that marked the security perimeter in traditional IT environments. Similarly, the explosion of mobile devices has supported new degrees of work anywhere/anytime productivity, while introducing multiple new points of potential security failure, which are now expanding geometrically with the connection of ‘things’ in IoT. Add to this an evolving threat landscape characterized by insider threats, highly personalized attacks and attacks on machines – in volumes not seen before – and the outcome is corporate networks under constant siege and ever-expanding security breaches that only grow in frequency and scope. What is to be done? The answer for Chris Young, newish SVP and GM of Intel Security, is “We’re going to rethink everything. Everything about our business, our people, our offerings so that we can do better at serving you.”

Chris Young, SVP and GM, Intel Security Group

Young was speaking at the FOCUS 15 Security Conference, an Intel event attended by 3,000 security professionals this October, which marked the full incorporation of McAfee Inc., a subsidiary acquired back in 2010 that has until now operated under its own brand, into the Intel operational fold. This integration was initiated with a total revamp at the organizational level: in addition to Young, who arrived at Intel from Cisco via VMware, Intel used the FOCUS event to introduce a new leadership team (or new roles for existing execs), including Candace Worley (GM endpoint security), CTO Steve Grobman, Scott Lovett (global sales), Tom Fountain (strategy and business development), Scott Montgomery (CTO public sector), Barry McPherson (supply chain and facilities), John Giamatteo (GM consumer unit) and Brian Dye (GM corporate products) – a team constructed to drive Young’s “DNA change” of the security business.

According to Young, this executive transition is part of a larger repositioning for the company as a whole: namely, Intel’s commitment to “having security at the core of their offerings,” a new approach inspired by the “connected experience” that IoT represents, a “new paradigm where security will have to be core to everything that we do.” For the Security Group, this means a shift away from the delivery of siloed protection products and technologies to a new strategy in which Intel acts as enterprise security partner, delivering an integrated approach to solving threat problems for the customer. Intel is calling this new strategy the “Threat Defense Lifecycle.”

So what will this integration look like? With the help of some customer testimonials, Young outlined some of the potential in the new approach. Vanessa Pegueros, VP and CISO at DocuSign, for example, described the work the cloud-based document management company is doing with Intel to integrate security into its web gateway and into the processing of customer documents, its exploration of ATD, and the integration of security into the development process. Going forward, Young added, Intel intends to “become more aggressive about the delivery of solutions via the cloud,” and has committed to re-architecting its web gateway products to deliver more security for cloud. Intel also intends to take advantage of cloud speed and scale to extend the reach and effectiveness of its Global Threat Intelligence service, and to support the sharing of threat intelligence with and between third party users of its DXL collaboration platform in the creation of a security ecosystem. Intel, according to Young, is moving to a ‘Cloud First’ model, has completed the integration of its Network Security Platform with VMware’s NSX SDN for the delivery of intrusion prevention services brokered by the Intel Security Controller into corporate networks, and has integration with OpenStack on its roadmap.

Another key piece in the Threat Defense Lifecycle is development of the capabilities needed to “detect” and “correct” in addition to the more traditional “protect.” To demonstrate this, Intel made a number of product announcements, including Endpoint Security 10.X, which the company claims provides better protection, detection and performance on the endpoint device (89% better CPU utilization and 18% faster boot time), as well as new capabilities in McAfee Active Response, a solution that provides analytics to enable the user to “Go on the Offense” – weeding through the volume of attacks that occur to hunt for the 1% of threats that really matter. An additional goal of Active Response is to shorten the time from detection to correction through automation – and ultimately to prove the business value in security investments, an ongoing challenge for security professionals in their conversations with executive management. To underscore the importance of analytics to this conversation, Sunil Varkey, CISO for Wipro Technologies, described the company’s “Zero malware initiative” undertaken in partnership with Intel Security, aimed at reducing the company’s daily $4,000 bill for controlling malware. According to Varkey, Intel Security “delivered them 95% clean and the company now sees [only] 20 incidents a day,” but key to this success was “analysing the data to understand where the attacks were coming from.”

Digging deeper into Intel’s new approach to security with product demos, Brian Dye, newly minted corporate VP of the Intel Security Group and GM of corporate products, summarized new capabilities by looking at the Threat Defense Lifecycle through three different lenses: endpoint, cloud and advanced attack, as follows.

Endpoint is the first line of defense – The endpoint is very broadly defined and there are many different devices, ranging from servers to mobile and IoT, but a critical factor is that many of these don’t have enough compute to run a lot of security. To address this issue, Intel is looking to provide security on behalf of customers in a cloud-assisted way. Dye pointed to the new Endpoint Security 10.x, which features many performance improvements, but also a better user interface to improve the customer experience: Intel has “translated security to English” to provide actionable threat intelligence, and has developed a new security architecture that will enable the addition of new components to provide an “exceptional upgrade path,” he noted. In a demonstration, the automation of threat detection and containment in Endpoint Security 10.x and the simultaneous “closed loop automation” in the cloud offered a good example of Intel’s vision for integrated security.

At cloud level – Cloud means a lot of things, and the types of infrastructure are varied: security must manage infrastructure, applications and data for private, public and SaaS IT service delivery models. In public cloud, Dye argued, it’s critical to bring your security protocols with you – and to help, Intel Security announced two new SaaS-oriented products, Data Loss Prevention and File & Removable Media Protection, which support cloud-based systems with encryption to provide an additional layer of protection.

Detection and Analysis – Describing processes for dealing with advanced attacks, Dye advised starting with the collection of data sources and threat intelligence delivered via the DXL platform. This data can then be transferred to an analytics repository, from which the automation of corrections begins. With McAfee Active Response, Dye explained, the user moves from analytics to pivoting and hunting and then to remediation, transitioning from “historian to hunter” who is able to “detect the undetectable.”

Throughout FOCUS 15, a key message animating the Threat Defense Lifecycle concept was the importance of integration for the purpose of delivering outcomes. As Young noted, “we have been so focused in the security industry on delivering point solutions that we don’t see what the outcomes are.” But how is it possible to provide customers with transparency on the effectiveness of their security strategy, when absence is the key characteristic of success? On this score, Dye offered compelling insight into how metrics can be deployed to demonstrate security business value. “This is the opportunity for the industry,” he argued. “If we can get clear on the [security] system and on the outcomes the system is making, then we as a technology provider, with consent, can start bringing in the telemetry. We could look at 5,000 organizations around the world – at their bulk stats, just at the waterfall level, through those four key steps: protection, detection, correction and efficiency. If you could benchmark 5,000 organizations on that and then tell your entire customer base, ‘here’s where you stack’, you would have a relative comparison that customers don’t have today. That would be hugely beneficial to them.”

And is it possible to “become clear on system outcomes”? Happily for Intel, the answer lies in transparency delivered through new product capabilities: “We have a tremendous number of metrics that are in the technology today to provide that end-to-end visibility,” Dye explained. In his view, key indicators of security system effectiveness include metrics on how many threats are stopped or get through defenses; how accurately the user drives the detection of threats that do penetrate; and the lifecycle, or time, to achieve correction. On the question of efficiency, the key metric is the ability of an analyst to “crank through events” – or, more simply put, “the number of events per analyst per day.” For Dye, this type of measurement is a “game changer” that will help Intel transition security from a ‘must do but don’t really want to pay for’ activity to a source of business value. “This is one of the reasons I joined Intel,” he concluded, “and one of the big opportunities Chris and the whole team see, which will change the entire industry conversation around security.”
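As an added illustration of the four metrics Dye describes (protection, detection, correction time and analyst efficiency), the script below computes them over a constructed day of event records; it is not code from the article or from Intel Security, and the outcome labels, record fields and the rule that only analyst-handled events count toward efficiency are assumptions.

```python
from datetime import datetime, timedelta
from statistics import mean

# Constructed sample records for one day (not real telemetry). "blocked" = stopped
# outright by protection; "detected" = got past protection but was caught by the
# defenders' own analytics; "missed" = got past protection and was only found later
# (for example, from an outside report). corrected_at is None while a case is open.
T0 = datetime(2015, 10, 27, 8, 0)

def H(n):
    return T0 + timedelta(hours=n)

EVENTS = [
    {"outcome": "blocked",  "analyst": None,  "detected_at": H(0), "corrected_at": None},
    {"outcome": "blocked",  "analyst": None,  "detected_at": H(1), "corrected_at": None},
    {"outcome": "blocked",  "analyst": None,  "detected_at": H(2), "corrected_at": None},
    {"outcome": "detected", "analyst": "ana", "detected_at": H(3), "corrected_at": H(5)},
    {"outcome": "detected", "analyst": "ana", "detected_at": H(4), "corrected_at": H(10)},
    {"outcome": "detected", "analyst": "bob", "detected_at": H(6), "corrected_at": None},
    {"outcome": "missed",   "analyst": "bob", "detected_at": H(9), "corrected_at": H(13)},
]

def _ratio(num, den):
    # Guard every rate against an empty denominator (quiet day, no analysts).
    return None if den == 0 else num / den

def protection_rate(events):
    """Share of all threats stopped before they got in."""
    return _ratio(sum(e["outcome"] == "blocked" for e in events), len(events))

def detection_rate(events):
    """Of the threats that got through, the share the defenders found themselves."""
    through = [e for e in events if e["outcome"] != "blocked"]
    return _ratio(sum(e["outcome"] == "detected" for e in through), len(through))

def mean_hours_to_correct(events):
    """Average detection-to-correction time over closed cases; None if none closed."""
    closed = [e for e in events if e["corrected_at"] is not None]
    if not closed:
        return None
    return mean((e["corrected_at"] - e["detected_at"]).total_seconds() / 3600 for e in closed)

def events_per_analyst_per_day(events, days):
    """Efficiency: analyst-handled events divided by analyst headcount and days."""
    handled = [e for e in events if e["analyst"] is not None]
    analysts = {e["analyst"] for e in handled}
    return _ratio(len(handled), len(analysts) * days)
```

Open cases are deliberately excluded from the correction average so that a long-running investigation does not silently pull the number down before it is resolved.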

InsightaaS is a boutique analyst firm, and is a unique destination site for IT and business managers interested in exploring the ‘why’ in enterprise technology.